Printing History

The manual printing date and part number indicate its current edition.
The printing date will change when a new edition is printed. Minor
changes may be made at reprint without changing the printing date. The
manual part number will change when extensive changes are made.

Manual updates may be issued between editions to correct errors or 
document product changes. To ensure that you receive the updated or 
new editions, you should subscribe to the appropriate product support 
service. See your HP sales representative for details. 

First Edition: September 1999 (HP-UX Release 10.20) 

Product Numbers

Description                                                        Number

LDAP-UX Integration (NIS/LDAP Gateway server B.01.00 and           J4269AA
LDAP-UX Client Administration Tools B.01.00)


Related Documentation 

For additional information, see the following: 

• NIS/LDAP Gateway Release Notes (J4269-90002) available at
http://docs.hp.com/hpux/internet.

• NIS/LDAP Gateway README file available after you install the
product at /opt/ldapux/README-ypldapd.

• Client Administration Tools README file available after you install
the product at /opt/ldapux/README-client.

• Installing and Administering NFS Services discusses NIS; available
at http://docs.hp.com/hpux/communications.

• Netscape Directory Server Administrator's Guide and other titles
available at http://docs.hp.com/hpux/internet.

• Manual pages, using the man(1) command: ypldapd(8), ypserv(1M),
ypfiles(4) and other related NIS man pages.
Chapter 1: Overview of NIS/LDAP Gateway

This chapter provides a high level overview of what the NIS/LDAP
Gateway product is and how it works.

The NIS/LDAP Gateway is a Network Information Service (NIS) server
that uses an LDAP directory as its information source instead of NIS
map files. The Gateway accepts NIS client requests for information, gets
the information from an LDAP directory, and returns the information to
the NIS clients. It effectively replaces your NIS servers and map files
with an NIS/LDAP Gateway server and an LDAP directory. Existing NIS
clients transparently use an LDAP directory to resolve user, group, host
and other information.

Used in conjunction with LDAP server technologies, such as Netscape's
Directory Server, the NIS/LDAP Gateway can consolidate credentials
and allow a single password per user to be shared among multiple
platforms and applications.

The hierarchical and distributed nature of LDAP is substantially more
scalable than the flat, single domain policy of NIS. The NIS/LDAP
Gateway allows your organization to leverage the scalability and
distributed nature of LDAP directory services, while maintaining an
existing NIS infrastructure.


NOTE The NIS/LDAP Gateway does not include an LDAP directory server. You
can obtain the single-server Netscape Directory Server 4.x for HP-UX -
Lite Edition from http://www.software.hp.com, or the fully functioning
directory server from your local HP sales office. Other directories that
support LDAP can also be used with this product.


Comparing NIS and NIS/LDAP Gateway

This section describes the NIS/LDAP Gateway environment, compares it
to NIS, and gives an overview of the steps for migrating to the NIS/LDAP
Gateway.
The following diagram shows a typical NIS environment:

Figure 1-1 Typical NIS Environment
[Diagram; its labels are "NIS Requests" and "password with yppasswd". The text below describes it.]



In this NIS environment, the master map files reside on the NIS master
server. Copies of these map files are periodically transferred to the NIS
slave systems. The NIS servers run the ypserv daemon which serves the
information requested by clients. NIS clients run the ypbind daemon
which establishes a connection to an NIS server, enabling client
processes to get information from the NIS server. Users can change their
passwords using the yppasswd command.
The following diagram shows what this environment might look like
when converted to an NIS/LDAP Gateway environment:

Figure 1-2 NIS/LDAP Gateway Environment
[Diagram; the numbered differences below describe it.]

In the NIS/LDAP Gateway environment, four main differences exist:

1. An LDAP directory replaces your NIS master server and NIS maps.
Map files and map transfers are no longer needed. LDAP replication
uses more efficient updates instead of complete map builds and
transfers.

2. All NIS slave servers become NIS/LDAP Gateway servers. The
NIS/LDAP Gateway servers run the ypldapd daemon, rather than the
ypserv daemon. ypldapd requests information from the LDAP
directory and serves the information back to the NIS clients.
3. NIS clients continue to run the ypbind daemon, which establishes a
connection to an NIS/LDAP Gateway server, enabling client processes
to get information from the LDAP directory.

4. Users change their passwords using the ldappasswd command or an
LDAP administration tool such as a web browser rather than the
yppasswd command. Users must use an LDAP administration tool
such as a web browser to change their personal information instead of
chfn(1) and chsh(1).

Summary of Installing and Configuring

The following summarizes the steps to take when moving to an
NIS/LDAP Gateway environment.

• Install and configure an LDAP directory.

• Install and configure the NIS/LDAP Gateway.

• Migrate your NIS map information to your directory.

• Install ldappasswd on your NIS client systems, if desired.

• Stop the NIS server daemon, ypserv, if necessary.

• Start the NIS/LDAP Gateway daemon, ypldapd.

These steps, plus verification and testing steps, are described in detail in
Chapter 2, "Installing the NIS/LDAP Gateway," on page 17.
The NIS/LDAP Gateway Components

The NIS/LDAP Gateway product, comprising the following components,
can be found under /opt/ldapux/ypldapd, except where noted.

Table 1-1 NIS/LDAP Gateway Components

Component                Description

ypldapd                  The daemon that replaces the ypserv daemon and
                         serves NIS requests from NIS clients.

ypldapd.conf             The NIS/LDAP Gateway configuration file.

namingcontexts.conf      Configuration file that specifies where in the LDAP
                         directory each NIS map is.

init.d                   Contains start-up files.

lib                      Contains libraries used by ypldapd.

slapd-v2.nis.conf,       The directory schema for posix account and other
slapd-v3.nis.conf        information (RFC 2307) required by the NIS/LDAP
                         Gateway, for LDAP version 2 and version 3.

ypldapd.8                The ypldapd(8) man page.

The installation process copies the automatic start-up file to
/etc/rc.config.d/ypldapd and the manual start-up file to
/sbin/init.d/ypldapd.
Client Administration Tools

The Client Administration Tools listed below can be found under
/opt/ldapux.

Table 1-2 Client Administration Tools

Component                     Description

ldapdelete                    Allows you to delete entries in the directory.

ldapmodify                    Allows you to add, delete, modify, or rename
                              directory entries. All operations are specified
                              using LDIF update statements.

ldappasswd                    Changes passwords in the directory. Replaces
                              yppasswd.

ldapsearch                    Allows you to search the directory. Returns
                              results in LDIF format.

migrate_all_online.sh         Migrates files to LDIF or to an LDAP directory.
                              Uses the perl scripts listed below.

migrate_all_nis_online.sh     Migrates NIS maps to LDIF or to an LDAP
                              directory. Uses the perl scripts listed below.

migrate_aliases.pl            Migrates /etc/aliases to LDIF.

migrate_base.pl               Creates base DN information.

migrate_common.ph             Routines used by the other migration scripts.

migrate_fstab.pl              Migrates /etc/fstab to LDIF.

migrate_group.pl              Migrates /etc/groups to LDIF.

migrate_hosts.pl              Migrates /etc/hosts to LDIF.

migrate_netgroup.pl           Migrates /etc/netgroup to LDIF.

migrate_netgroup_byhost.pl    Migrates the netgroup.byhost NIS map to LDIF.

migrate_netgroup_byuser.pl    Migrates the netgroup.byuser NIS map to LDIF.

migrate_networks.pl           Migrates /etc/networks to LDIF.

migrate_passwd.pl             Migrates /etc/passwd to LDIF.

migrate_protocols.pl          Migrates /etc/protocols to LDIF.

migrate_rpc.pl                Migrates /etc/rpc to LDIF.

migrate_services.pl           Migrates /etc/services to LDIF.

perl, version 5               Used by all the migration scripts.

README-client,                Additional documentation files.
README-ypldapd

Contributed tools             Unsupported tools in /opt/ldapux/contrib. See
                              the file /opt/ldapux/contrib/bin/README for
                              details.
Chapter 2: Installing the NIS/LDAP Gateway

This chapter describes the decisions you need to make and the steps you
need to take to install and configure the NIS/LDAP Gateway.


Before You Begin

This section lists some things to keep in mind as you plan your
installation.

• You must have an LDAP directory. You can obtain the single-server
Netscape Directory Server for HP-UX - Lite Edition, from
http://www.software.hp.com, or the fully functioning directory server
from your local HP sales office. You can view the documentation at
http://docs.hp.com/hpux/internet. If you have another directory,
consult the documentation for your directory.

• See the NIS/LDAP Gateway Release Notes (part number
J4269-90002) for additional information.

• Most examples here use the Netscape Directory Server for HP-UX
and assume you have some knowledge of this directory and its tools,
such as the Directory Console and ldapsearch. If you have another
directory, consult your directory's documentation for specific
information.

• The following steps assume you want to emulate the NIS
environment on HP-UX as closely as possible. You have a lot of
flexibility to do things differently. Modify these steps as needed for
your environment.

• The examples use a root DN of o=hp.com for illustrative purposes.


Plan Your Installation and Testing

Before beginning your installation, you should plan how you will set up
and test your NIS/LDAP Gateway environment before putting it into
production. This will be similar to the process used to set up and test an
NIS environment. Consider the following questions:

• How many LDAP directory servers and replicas will you need?

Each NIS/LDAP Gateway server binds to an LDAP directory server
containing your NIS data. Multiple NIS/LDAP Gateway servers can
bind to a single directory server or replica server. The answer
depends on your environment, the size and configuration of your
directory and how many users you have. Depending on these factors,
you may have anywhere from ten to over one hundred NIS/LDAP
Gateway servers for each LDAP directory server.

• How many NIS/LDAP Gateway servers will you need?

This also depends on your environment. A rule of thumb might be to
have the same number of NIS/LDAP Gateway servers as you have
NIS servers currently.

• Where will you get your NIS data from when migrating it to the
directory?

You can get it from the same source files you create your NIS maps
from or you can get it from your NIS maps themselves. The key is to
use up-to-date information. You will probably need to keep your NIS
maps and your directory in sync for a time while testing. One of the
contributed tools, ldifdiff, can help you keep your data in sync.

• Where in your directory will you put your NIS data?

If you are starting with a brand new directory, you will create a new
subtree. If you already have a directory, you can place your NIS data
in a separate, new subtree of the directory. Or you can merge your
NIS data into your existing directory.

• How will you put your NIS data into your directory?

If you are starting with a brand new directory, the migration scripts
can build a new directory subtree for your NIS data.

If you have an existing directory and you decide to place your NIS
data into a new, separate subtree, the migration scripts can build and
populate this subtree.

If you merge your NIS data into an existing directory, the migration
scripts can create LDIF files of your NIS data, but you will have to
write your own scripts or use other tools to merge the NIS data into
your directory.

• How will you test your NIS/LDAP Gateway environment?

You may want to set up a separate group of systems to test it on. Or
you could install the NIS/LDAP Gateway on one of your existing NIS
servers or some other system but use a new domain just for testing.
Then change one or more existing NIS clients' domains to the new
domain for testing. When you have things set up and working
correctly, change the NIS/LDAP Gateway domain to your production
domain. You can use ypset(1M) to force one or more clients to bind to
the NIS/LDAP Gateway for testing. If you encounter problems, you
can stop the NIS/LDAP Gateway and restart ypserv. You can migrate
one NIS server at a time to the NIS/LDAP Gateway, testing each as
you go.


NOTE You cannot run an NIS server (ypserv) and an NIS/LDAP Gateway
server (ypldapd) simultaneously on the same system.


• How will you communicate with your user community about the
change? How will your users change their personal information such
as passwords, login shell, and finger(1) information?

You can install ldappasswd on your NIS client systems to replace
yppasswd. Or you can create or purchase web-based tools your users
can use to update their passwords and other information in the
directory. Note that at this release, the HP-UX commands chsh(1) and
chfn(1) do not change information in the directory.


NOTE The csh(1) shell and finger(1) command request the entire contents of the
passwd map for certain operations, which may result in a performance
bottleneck. For this reason, you may want to restrict use of csh(1) and
finger(1). See "Minimizing Enumeration Requests" on page 31 for more
information.


• How will you put your NIS/LDAP Gateway into production after
testing?

One possible way is to convert each NIS server to an NIS/LDAP
Gateway server, one server at a time, one subnet at a time. When you
are confident that server is working, convert the next NIS server to
the NIS/LDAP Gateway. During the transition, you will probably
need to keep your NIS maps and your directory in sync.

Another possible way is to create a new domain and convert each
client to the new domain.


Configure Your Directory

This section describes how your directory needs to be configured to work
with the NIS/LDAP Gateway. Examples are given for Netscape Directory
Server for HP-UX. If you have a different directory, see the
documentation for your directory for details on how to configure it as
described here.

Step 1. Install the posix schema (RFC 2307) into your directory.

If you have Netscape Directory Server 4.0 for HP-UX or later, the posix
schema is already installed.

For other directories, you can install the schema from
/opt/ldapux/ypldapd/etc/slapd-v3.nis.conf for version 3 LDAP directories
and /opt/ldapux/ypldapd/etc/slapd-v2.nis.conf for version 2 LDAP
directories. Depending on the directory you have, include a line like one
of the following in your configuration file:

include /opt/ldapux/ypldapd/etc/slapd-v3.nis.conf 
include /opt/ldapux/ypldapd/etc/slapd-v2.nis.conf 

For information on the posix schema (RFC 2307), see http://www.ietf.org.

Step 2. Restrict write access to certain passwd attributes of the posix schema.

CAUTION Make sure you restrict access to the attributes listed below. Allowing
users to change them could be a security risk.

Grant write access of the uidnumber, gidnumber, homedirectory, and uid
attributes only to the directory administrator; disallow write access by
all other users. Set up access control lists (ACL) so ordinary users cannot
change these attributes in their password entry in the directory. With
Netscape Directory Server for HP-UX, you can use the Netscape Console
or ldapmodify.

The following access control instruction (ACI) is by default at the top of
the directory tree for a 4.x Netscape directory. This ACI allows a user to
change any attribute in their password entry:

aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification"; 
allow (write)userdn = "ldap:///self";) 

Modify this ACI to the following, which prevents ordinary users from
changing their uidnumber, gidnumber, homedirectory and uid
attributes:

aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") (version 
3.0; acl "Allow self entry modification, except for important posix attributes"; 
allow (write)userdn = "ldap:///self";) 

You may want to restrict write access to other attributes in the password 
entry as well. 
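The following POSIX shell script is an added example; it is not part of this manual or of the NIS/LDAP Gateway product. It audits an LDIF export of the directory entries that carry aci attributes for the condition Step 2 describes: an ACI that grants write access to ldap:///self without excluding uidnumber, gidnumber, homedirectory and uid. The ldapsearch command in the comment, the file name acis.ldif and the sample LDIF (which contains the default ACI and the modified ACI shown above) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the HP manual): report self-write ACIs that
# still let a user modify the posix attributes Step 2 says to protect.
#
# Input is an LDIF export of entries carrying "aci" attributes. With the
# Netscape Directory Server tools it could be produced with something like
# (assumed; adjust bind DN, server and base DN for your directory):
#   ldapsearch -D "cn=Directory Manager" -w secret -h servername \
#       -b o=hp.com "(aci=*)" aci > acis.ldif

PROTECTED="uidnumber gidnumber homedirectory uid"

# unfold_ldif FILE: join LDIF continuation lines (leading space) onto the
# line they continue, so every "aci:" value is on a single line.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' "$1"
}

# unsafe_self_write_acis FILE: print each ACI that grants "write" to
# ldap:///self and whose targetattr does not exclude every protected attribute.
unsafe_self_write_acis() {
    unfold_ldif "$1" | grep '^aci:' | grep -i 'allow *(write)' | grep -i 'ldap:///self' |
    while IFS= read -r line; do
        # targetattr clause -> "OP ATTRS", e.g. '!= uidnumber || gidnumber || ...'
        target=$(printf '%s\n' "$line" |
            sed -n 's/.*(targetattr *\(!*=\) *"\([^"]*\)").*/\1 \2/p')
        op=${target%% *}
        attrs=$(printf '%s\n' "${target#* }" | tr 'A-Z' 'a-z')
        bad=0
        if [ -z "$target" ]; then
            bad=1                      # unparsable clause: report it rather than trust it
        elif [ "$op" = "!=" ]; then
            # exclusion list: every protected attribute must be named in it
            for a in $PROTECTED; do
                printf '%s\n' "$attrs" | grep -qw "$a" || bad=1
            done
        else
            # inclusion list: unsafe if it is the wildcard or names a protected attribute
            case "$attrs" in *\**) bad=1 ;; esac
            for a in $PROTECTED; do
                printf '%s\n' "$attrs" | grep -qw "$a" && bad=1
            done
        fi
        if [ "$bad" -eq 1 ]; then
            printf '%s\n' "$line"
        fi
    done
}

# audit_self_write FILE: exit status 0 when no unsafe self-write ACI was found.
audit_self_write() {
    n=$(unsafe_self_write_acis "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed sample export holding the default ACI and the modified ACI.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dn: o=hp.com
aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification";
  allow (write)userdn = "ldap:///self";)

dn: ou=nis,o=hp.com
aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") (version
  3.0; acl "Allow self entry modification, except for important posix attributes";
  allow (write)userdn = "ldap:///self";)
EOF

if audit_self_write "$SAMPLE"; then
    echo "no unsafe self-write ACIs"
else
    echo "unsafe self-write ACIs (only the default one is expected here):"
    unsafe_self_write_acis "$SAMPLE"
fi
rm -f "$SAMPLE"
```

Run it against a fresh export after every ACI change; an ACI placed lower in the tree can reopen write access that the top-level ACI closed, which is why the script examines every aci value rather than only the one at the suffix.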

Step 3. Restrict write access to certain group attributes of the posix schema.

Grant write access of the cn, memberuid, gidnumber, and userpassword
attributes only to the directory administrator; disallow write access by
all other users. Set up access control lists (ACL) so ordinary users cannot
change these attributes in the posixGroup entry in the directory. With
Netscape Directory Server for HP-UX, you can use the Netscape Console
or ldapmodify.

For example, the following ACI, placed in the directory at
ou=groups,ou=nis,o=hp.com, only allows the directory administrator to modify
entries below ou=groups,ou=nis,o=hp.com:

aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group 
entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, 
o=hp.com");) 

Step 4. Grant read access of attributes of the posix schema.

Grant read access of all posix attributes to all users. If you have
Netscape Directory Server for HP-UX, you can skip this step since it is
the default for a typical installation. If you have another directory, make
sure all users have read access to the posix attributes.

Step 5. Establish UNIX crypt as the default encryption.

Netscape's default is SHA (Secure Hash Algorithm) encryption. With the
Netscape Directory Console, you can select the Configuration tab, then
select the "Database" object, then the Passwords tab, and change the
Password encryption field.

Step 6. Index important entries for better performance.

Since many of your directory requests will be for the attributes listed
below, you should index these to improve performance. If you don't index,
your directory may search sequentially, causing a performance
bottleneck.

Index on the following attributes:

• cn

• objectclass

• memberuid

• uidnumber

• gidnumber

• uid

To index these entries with Netscape Directory Server, use the Console,
Configuration tab, Indexes tab, Add Attributes button.

Step 7. Create a proxy user.

Create a proxy user the NIS/LDAP Gateway will use to bind to the
directory. With Netscape Directory Server for HP-UX, use the Netscape
Console, Users and Groups tab, Create button.

Step 8. Set access permissions for the proxy user.

Give the proxy user (created in step 7 above) read permission for the
userpassword attribute in the directory. Since the NIS/LDAP Gateway
daemon, ypldapd, will authenticate to the directory as the proxy user,
this user needs to be able to read the passwords. The following example
ACI gives the proxy user, ypldap_proxy, permission to compare, read, and
search user passwords:

aci:(target="ldap:///ou=raptor,ou=labteam,o=hp.com")(targetattr="userpassword") 
(version 3.0; aci "ypldapd Proxy userpassword read rights"; allow 
(compare,read,search) userdn = "ldap:///uid=proxy-user,ou=people,o=hp.com"; ) 

Step 9. For larger directories, increase the Look-through limit.

The Look-through limit specifies the maximum number of directory
entries to examine before aborting the search operation. The default for
Netscape Directory Server 4.x for HP-UX is 5000. If you have a large
directory (greater than 2000 entries, for example), you may want to
increase this. This will be less of a problem for indexed entries since the
search would examine fewer entries.

To change this limit in Netscape Directory Server using the Directory 
Console, use the Configuration tab, select the "Database" object, the 
Performance tab, and edit the Look-through limit text box. 

Step 10. For larger directories, increase the Size limit. 

The size limit determines the maximum number of entries to return 
to any query before aborting. The default for Netscape Directory Server 
4.x for HP-UX is 2000. If you have a large directory, (greater than 2000 
entries, for example), you should increase this. 

To change this limit in Netscape Directory Server using the Directory 
Console, use the Configuration tab, select the server name, the 
Performance tab, and edit the size limit text box. 


Install the NIS/LDAP Gateway on Your Server

Use swinstall(1M) to install the NIS/LDAP Gateway software and the
Client Administration Tools. See the NIS/LDAP Gateway Release Notes
for any last-minute changes to this procedure. You can install the
NIS/LDAP Gateway server and the LDAP-UX Client Administration
Tools.


Import NIS Data into Your Directory

The next step is to import your NIS data into your LDAP Directory. How
you do this depends on several factors. Here are some considerations
when planning this:

• The migration scripts take your NIS information and generate LDIF
files. These scripts can then import the LDIF files into your directory,
creating new entries in the directory. This only works if you are
starting with an empty directory or creating an entirely new subtree
in your directory for your NIS data.

• Your directory architect needs to decide where in your directory to
place your NIS information. Here are some possibilities:

— Create a separate subtree for NIS data - The migration scripts can
import all your NIS data into the separate subtree.

— Integrate the NIS information into your directory - The migration
scripts may be helpful depending on where you put the NIS data
in your directory. You could use them just to generate LDIF, edit
the LDIF, then import the LDIF into your directory.

Steps to Importing Your NIS Data into Your Directory

Here are the steps to importing your NIS data into your directory. Modify
them as needed depending on your directory.

Step 1. Determine which of your NIS maps you will migrate to your directory.

ypwhich -m gives a list of maps and their master server. The maps are
typically in /var/yp/<domainname>. On your client systems, the file
/etc/nsswitch.conf determines which NIS files the client is using.

Step 2. Decide which migration method and scripts you will use. See "NIS to
LDAP Migration Scripts" on page 41 for a complete description of the
scripts, what they do, and how to use them. Modify the migration scripts,
if needed.

Step 3. Back up your directory, if needed.

Step 4. Run the migration scripts.

Step 5. If the method you used above did not already do so, import the LDIF file
into your directory.


Configure the NIS/LDAP Gateway

Use the following steps to configure your NIS/LDAP Gateway to work
with your directory server and your NIS domain.
Step 1. Edit the configuration file, /opt/ldapux/ypldapd/etc/ypldapd.conf, and set
the appropriate values. Use the comments in the file as a guide. See also
"Configuration Parameters" on page 45 for details on all the parameters.

Provide values at least for the following:

ypdomain    The NIS domain name.

binddn      The directory user the NIS/LDAP Gateway will bind to
            the directory as. You created a proxy user for this
            purpose in step 7 under "Create a proxy user," on page 22.

bindcred    The password for the proxy user.

basedn      The Distinguished Name in your directory where the
            NIS/LDAP Gateway should begin all searches.


CAUTION The file ypldapd.conf contains the proxy user's password and could
represent a security risk. Restricting the permissions on this file reduces
this risk.


For testing, you can set ypdomain to a new domain, then set the domain
name of your test clients to that domain. When you finish testing, set it
to your production domain.

After you modify the configuration file, you can copy it to your other
NIS/LDAP Gateway servers.
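As an added example, not part of this manual or of the product, the POSIX shell functions below check the two things Step 1 and the CAUTION above ask for before ypldapd is started: that ypldapd.conf is readable only by its owner (it holds bindcred) and that ypdomain, binddn, bindcred and basedn are all set. The functions assume the file holds one "parameter value" pair per line with "#" comment lines, which matches how the parameters are listed above but is an assumption about the file's layout; the sample configuration file is constructed for the example and its bindcred is a placeholder.

```shell
#!/bin/sh
# Added example (not from the HP manual): sanity-check ypldapd.conf before
# starting the Gateway. Assumes "parameter value" lines and "#" comments.

CONF_DEFAULT=/opt/ldapux/ypldapd/etc/ypldapd.conf
REQUIRED="ypdomain binddn bindcred basedn"

# conf_value FILE PARAM [DEFAULT]: print the value of PARAM (first match),
# or DEFAULT when the parameter is not set in the file.
conf_value() {
    v=$(awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "${3:-}"; fi
}

# conf_mode FILE: the nine permission characters of the file, e.g. rw-------
conf_mode() {
    ls -ld "$1" | cut -c2-10
}

# check_conf FILE: print one problem per line; exit status 0 when there is none.
check_conf() {
    f="$1"
    problems=0
    case "$(conf_mode "$f")" in
        ???------) ;;                  # owner-only permissions: what the CAUTION asks for
        *) echo "$f: group or world permission bits are set (the file holds bindcred); use chmod 600"
           problems=$((problems + 1)) ;;
    esac
    for p in $REQUIRED; do
        if [ -z "$(conf_value "$f" "$p")" ]; then
            echo "$f: required parameter '$p' is not set"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample configuration; the real file is $CONF_DEFAULT.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample ypldapd.conf (values are illustrative)
ypdomain  test-ldap
binddn    uid=proxy-user,ou=people,o=hp.com
bindcred  PLACEHOLDER-proxy-password
basedn    o=hp.com
pidfile   /var/run/ypldapd.pid
EOF

chmod 644 "$SAMPLE"
check_conf "$SAMPLE" || echo "fix the problems above before starting ypldapd"
chmod 600 "$SAMPLE"
check_conf "$SAMPLE" && echo "$SAMPLE: ok (binddn $(conf_value "$SAMPLE" binddn))"
rm -f "$SAMPLE"
```

Because the same file is copied to every other Gateway server, run check_conf on each copy: the copy inherits whatever permissions the copying command gives it, not the permissions of the original.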

Step 2. Verify that the proxy user can read passwords from your directory.

The following command

ldapsearch -D "uid=proxy-user,ou=people,o=hp.com" -h servername -w passwd -b
o=hp.com uid=username

binds to the directory as the proxy user and reads the entry for the user
username. Change this example to use your proxy user, server, base DN,
and user.

You should get output with a line like the following:

userpassword={crypt}d921F18SMksl2k24

If you don't, your proxy user may not be configured properly. Make sure
you have access permissions set correctly for the proxy user. See
"Troubleshooting" on page 33 for more information.
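The following POSIX shell script is an added example and not part of this manual or of the product. It classifies the output of the ldapsearch check above into the four outcomes an administrator has to tell apart: a {crypt} hash was returned, a hash in another scheme was returned (Step 5 of "Configure Your Directory" was not done), the entry came back without userpassword (the proxy lacks the Step 8 rights), or no entry came back at all. The verify_proxy wrapper, the attribute list appended to the manual's ldapsearch command, and the sample outputs (which reuse the hash value shown above) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HP manual): interpret the output of the
# Step 2 ldapsearch check. classify_proxy_search prints exactly one of:
#   ok            entry returned with a {crypt} userpassword the Gateway can serve
#   wrong-scheme  userpassword present but not {crypt}; see Step 5 of
#                 "Configure Your Directory"
#   no-password   entry returned without userpassword: the proxy lacks
#                 compare/read/search rights on userpassword (Step 8)
#   no-entry      nothing returned: check the base DN, the user name and the bind

# classify_proxy_search FILE: classify saved ldapsearch output; accepts both
# the "attr: value" and the older "attr=value" output styles.
classify_proxy_search() {
    out="$1"
    if ! grep -qi '^dn[:=]' "$out"; then
        echo no-entry
        return 0
    fi
    pw=$(grep -i '^userpassword[:=]' "$out" | head -n 1)
    if [ -z "$pw" ]; then
        echo no-password
        return 0
    fi
    case "$pw" in
        *'{crypt}'*|*'{CRYPT}'*) echo ok ;;
        *)                       echo wrong-scheme ;;
    esac
}

# verify_proxy PROXY-DN SERVER PASSWORD BASE-DN USER: run the manual's
# ldapsearch, restricted to the userpassword attribute, and classify it.
# The password is passed with -w exactly as in the manual, so it is visible
# in the process list while the command runs; run this from a root shell.
verify_proxy() {
    tmp=$(mktemp)
    ldapsearch -D "$1" -h "$2" -w "$3" -b "$4" "uid=$5" userpassword > "$tmp" 2>&1
    classify_proxy_search "$tmp"
    rm -f "$tmp"
}

# Constructed sample outputs so the classifier can be exercised offline.
demo=$(mktemp)
printf '%s\n' 'dn: uid=jdoe,ou=people,o=hp.com' 'uid: jdoe' \
    'userpassword: {crypt}d921F18SMksl2k24' > "$demo"
echo "crypt hash readable:        $(classify_proxy_search "$demo")"
printf '%s\n' 'dn: uid=jdoe,ou=people,o=hp.com' 'uid: jdoe' \
    'userpassword: {SHA}PLACEHOLDER=' > "$demo"
echo "SHA hash (Step 5 not done): $(classify_proxy_search "$demo")"
printf '%s\n' 'dn: uid=jdoe,ou=people,o=hp.com' 'uid: jdoe' > "$demo"
echo "no userpassword (Step 8):   $(classify_proxy_search "$demo")"
: > "$demo"
echo "nothing returned:           $(classify_proxy_search "$demo")"
rm -f "$demo"
```

The no-password case is the one the manual's sentence "your proxy user may not be configured properly" usually means: the bind succeeded and the entry is visible, but the proxy ACI from Step 8 is missing or placed on the wrong subtree, so the attribute is filtered out of the result.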

Step 3. If you want the NIS/LDAP Gateway to automatically restart after
rebooting your system, edit the file /etc/rc.config.d/ypldapd and set
YPLDAPD=1.

If you do this, you should also edit /etc/rc.config.d/namesvrs and set
NIS_MASTER_SERVER=0 and NIS_SLAVE_SERVER=0 so the NIS
server does not automatically restart after rebooting.


Start the NIS/LDAP Gateway Server Daemon

Step 1. If the NIS daemon is running on the same system as your NIS/LDAP
Gateway server, stop the NIS daemon:

/sbin/init.d/nis.server stop

Step 2. Start the NIS/LDAP Gateway daemon. If YPLDAPD=0 in the file
/etc/rc.config.d/ypldapd, use the following command:

/opt/ldapux/ypldapd/sbin/ypldapd

If YPLDAPD=1 in the file /etc/rc.config.d/ypldapd, use the following
command:

/sbin/init.d/ypldapd start

To test all servers on a subnet, repeat the above steps for each NIS server
on the local subnet.


Test the NIS/LDAP Gateway

This section describes some simple ways you can test the installation and
configuration of your NIS/LDAP Gateway. You may need to do more
elaborate and detailed testing, especially if you have a large
environment.

The following procedure assumes you have created a new NIS domain
called test-ldap for testing purposes. Modify these commands as
needed for your environment.

Step 1. On an NIS client system, log in as root and change the domain by editing
the file /etc/rc.config.d/namesvrs. Change the line containing
NIS_DOMAIN to:

NIS_DOMAIN=test-ldap

Step 2. On the same NIS client system, logged in as root, restart the NIS client
process:

/sbin/init.d/nis.client stop
/sbin/init.d/nis.client start

Step 3. Use the ll(1) command to examine any files and make sure the owner
and group of each file are accurate:

ll /tmp

If any owner or group shows up as a number instead of a user or group
name, respectively, the NIS/LDAP Gateway is not functioning properly.

Step 4. Create a new file and change the file's owner to another user:

cd /tmp
touch file
chown newuser file
ll file

where newuser is the name of a different user. The final ll(1) command
should display the file owned by the new user.

Step 5. Log in to the client system as an ordinary user, that is, a non-root user, in
the directory and not in /etc/passwd. If this fails, see "Troubleshooting"
on page 33.

Step 6. Once you've logged in as an ordinary user, check to see if your NIS/LDAP
Gateway is serving the NIS client by giving the following command on
the client system:

domainname

Step 7. Display one of your maps with a command like the following:

ypcat group | more

Step 8. Repeat steps 3 and 4 above logged in as an ordinary user.
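The following POSIX shell script is an added example, not part of this manual or of the product, that turns Steps 3, 6 and 7 above into repeatable checks. unresolved_ids scans ll output for the numeric owners or groups Step 3 warns about; check_passwd_map scans ypcat passwd output for entries a correctly populated directory should not produce (malformed lines, non-numeric uid or gid, uid 0 accounts other than root, duplicate uids), which is the client-side view of the attributes Step 2 of "Configure Your Directory" protects; smoke_test ties them together on a live client. The smoke_test function name, the domain argument and the two sample outputs are assumptions constructed for the example; "ll" on HP-UX is "ls -l".

```shell
#!/bin/sh
# Added example (not from the HP manual): checks for the test procedure,
# written over saved command output so they also run without a Gateway.

# unresolved_ids FILE: read "ll" (ls -l) output and print every entry whose
# owner or group is still numeric, i.e. the Gateway did not resolve it (Step 3).
unresolved_ids() {
    awk 'NF >= 9 && ($3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/) {
             print $NF ": owner=" $3 " group=" $4
         }' "$1"
}

# check_passwd_map FILE: read "ypcat passwd" output and report entries the
# Gateway should not be serving. Exit status 0 when the map is clean.
check_passwd_map() {
    awk -F: '
        NF != 7                               { print "malformed: " $0; bad++; next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/  { print "non-numeric uid/gid: " $1; bad++; next }
        $3 == 0 && $1 != "root"               { print "uid 0 account: " $1; bad++; next }
        seen[$3]++ == 1                       { print "duplicate uid " $3 ": " $1; bad++ }
        END                                   { exit (bad > 0) }
    ' "$1"
}

# smoke_test DOMAIN: the live client checks (Steps 3, 6 and 7); the NIS
# commands are only run where they exist. Returns 0 when everything passes.
smoke_test() {
    ok=0
    [ "$(domainname)" = "$1" ] || { echo "domain is $(domainname), expected $1"; ok=1; }
    tmp=$(mktemp)
    ls -l /tmp > "$tmp" 2>/dev/null
    if [ -n "$(unresolved_ids "$tmp")" ]; then unresolved_ids "$tmp"; ok=1; fi
    if command -v ypcat >/dev/null 2>&1; then
        ypcat passwd > "$tmp" 2>/dev/null
        check_passwd_map "$tmp" || ok=1
    fi
    rm -f "$tmp"
    return $ok
}

# Constructed sample outputs so the checks run without a Gateway.
LL=$(mktemp); MAP=$(mktemp)
cat > "$LL" <<'EOF'
total 16
-rw-r--r--   1 jdoe       users            0 Sep 14 10:03 file
-rw-r--r--   1 1042       20               0 Sep 14 10:04 orphan
drwxr-xr-x   2 root       sys             96 Sep 14 09:58 lost+found
EOF
cat > "$MAP" <<'EOF'
root:PLACEHOLDER:0:3::/:/sbin/sh
jdoe:PLACEHOLDER:1042:20:Jane Doe:/home/jdoe:/usr/bin/sh
toor:PLACEHOLDER:0:3::/:/sbin/sh
asmith:PLACEHOLDER:1042:20:Al Smith:/home/asmith:/usr/bin/sh
broken:PLACEHOLDER:abc:20:Broken:/home/broken:/usr/bin/sh
EOF
echo "unresolved owners/groups:"
unresolved_ids "$LL"
echo "passwd map problems:"
check_passwd_map "$MAP" || echo "(the served map needs attention)"
rm -f "$LL" "$MAP"
```

A numeric owner in ll output and an unexpected uid 0 entry in the served map are both symptoms of the same thing: what the Gateway serves is whatever the directory holds, so a directory-side mistake (a missing uidnumber, or one an unprivileged user was allowed to edit) shows up on every client bound to the Gateway.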
Put the NIS/LDAP Gateway into Production

This section describes how you can put the NIS/LDAP Gateway into
production in your environment, after you've completed all the
verification and testing you need, determined how you will administer
your directory, and informed your user community about the change. You
can stop each NIS server and start the NIS/LDAP Gateway server, one
system at a time, completing each subnet one at a time. Modify these
commands as needed for your environment.

Step 1. If you decide to use ldappasswd, install it on the appropriate systems.

Step 2. Install the NIS/LDAP Gateway on an NIS server.

Step 3. Copy the ypldapd.conf file from another NIS/LDAP Gateway server.

Modify it, if necessary, for example if you have multiple directory servers
to distribute the load among or to set the domain to your production
domain. See "Configuration Parameters" on page 45 for details.

Step 4. Stop the NIS server daemon on your NIS server system. Log in to the
server as root and enter the following command:

/sbin/init.d/nis.server stop

Step 5. Edit the file /etc/rc.config.d/namesvrs and change
NIS_MASTER_SERVER=0 and NIS_SLAVE_SERVER=0.

Step 6. If you want the NIS/LDAP Gateway to restart automatically after
rebooting, edit the file /etc/rc.config.d/ypldapd and set YPLDAPD=1.

Step 7. Start the NIS/LDAP Gateway server. If YPLDAPD=0 in the file
/etc/rc.config.d/ypldapd, use the following command:

/opt/ldapux/ypldapd/sbin/ypldapd

If YPLDAPD=1 in the file /etc/rc.config.d/ypldapd, use the following
command:

/sbin/init.d/ypldapd start

Step 8. Repeat steps 2 through 7 above for each NIS server on a subnet. See
"Test the NIS/LDAP Gateway" on page 26 for suggestions on testing. If
you encounter any problems, see "Troubleshooting" on page 33.
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This chapter describes how to administer the NI S/LDAP Gateway to 
keep it running smoothly and expand it as your computing environment 
expands. It describes the following topics: 

• "Starti ng and Stoppi ng the NIS/L DAP Gateway” on page 29 

• "Enabling Automatic Restart" on page 30 

• "Adding a Client System" on page 30 

• "I mproving Performance" on page 31 

• 'Troubleshooting"on page 33 


Starting and Stopping the NIS/LDAP Gateway 

H ow you start and stop the NI S/LDAP Gateway depends on whether 
automatic restarting is enabled in the file /eto'rc.config.d/ypldapd. See 
"Enabling Automatic Restart" on page 30for more information. 

Start the NI S/LDAP Gateway, logged in as root, with a command I ike one 
of the foil owing. 

If automatic restart is enabled (YPLDAPD=1 in/eto'rc.config.d/ypldapd), 
use the following command: 

/sbin/init.d/ypldapd start 

If automatic restart is disabled (YPLDAPD=0 in /etc/rc.config.d/ypldapd), 
use the following command: 

/opt/ldapux/ypldapd/sbin/ypldapd 

Stop the NIS/LDAP Gateway, logged in as root, with a command like one 
of the following. 

If automatic restart is enabled (YPLDAPD=1 in /etc/rc.config.d/ypldapd), 
use the following command: 

/sbin/init.d/ypldapd stop 

If automatic restart is disabled (YPLDAPD=0 in /etc/rc.config.d/ypldapd), 
use one of the following commands: 
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kill $(cat /var/run/ypldapd.pid) # default pid file location 
kill pid 

where pid is the process identifier of the ypldapd daemon. You can find 
this from the pidfile parameter in /opt/ldapux/ypldapd/etc/ypldapd.conf 
(the default pidfile is /var/run/ypldapd.pid) or with a command like the 
following: 

ps -ef | grep ypldapd 

See "The ypldapd Command" on page 37 or the ypldapd(8) man page for 
more information. 


Enabling Automatic Restart 

If you want the NIS/LDAP Gateway to restart automatically after 
rebooting the system, edit the file /etc/rc.config.d/ypldapd and set 
YPLDAPD=1. To disable automatic restarting, set YPLDAPD=0. 

See also "Starting and Stopping the NIS/LDAP Gateway" on page 29. 


Adding a Client System 

Adding an NIS/LDAP Gateway client is essentially the same as adding 
an NIS client except for ldappasswd or whatever means you give your 
users for changing their password and other personal information. 

For more information, see "To Change Passwords" on page 59 and "To 
Change Personal Information" on page 59 and "The ldappasswd 
Command" on page 38. 

For NIS information see "To Enable NIS Client Capability" in Installing 
and Administering NFS Services available at 
http://docs.hp.com/hpux/communications. 
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Improving Performance 

This section lists some ways you can improve the performance of your 
NIS/LDAP Gateway server. 

Minimizing Enumeration Requests 

Enumeration requests are directory queries that request all of a map. 
For example, the command ypcat passwd is an enumeration request 
because it requests all of the passwd map. An ll command would not be 
an enumeration request since it only requests specific pieces of 
information from maps. 

Certain HP-UX operations enumerate a map from the NIS/LDAP 
Gateway server. For example, csh(1) requests the entire group map at 
login, and finger(1) requests the entire passwd map whenever it runs. 
Applications written with the getpwent(3C) family of routines can 
enumerate a map. If these maps are large, these enumeration requests 
could cause other NIS/LDAP Gateway client requests to block waiting for 
the enumeration request to complete. For example, a user running a simple 
ll(1) command could see a delay in response if another user is logging in 
with csh(1) or using the finger(1) command. If the delay is long enough, 
the request may time out and the client may try to rebind to another 
server. To minimize these situations, you may want to restrict use of the 
above mentioned commands. 

You can also improve performance of enumeration requests by 
preloading maps as described in "Preloading the Cache with NIS Maps" 
on page 32. 

Using Additional Processes to Handle Enumeration Requests 

One way to reduce the impact of enumeration requests is to allow 
ypldapd to fork separate processes to handle them, thus avoiding tying up 
ypldapd for the duration of the enumeration requests. Do this by setting 
the maxchildren parameter. This parameter specifies the maximum 
number of processes ypldapd will fork when doing enumeration requests. 
See also "Maximum Number of Processes" on page 54. 
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Caching 

This section discusses how the NIS/LDAP Gateway caches data from the 
directory and how you can control aspects of caching to improve 
performance. 

Enabling Caching 

The NIS/LDAP Gateway server can cache data from the directory to 
reduce the load on the directory and improve overall performance of NIS 
operations. You enable caching by setting the caching parameter in the 
ypldapd.conf file to on. See "Enable or Disable Caching" on page 53 for 
more information. 

Preloading the Cache with NIS Maps 

You can configure ypldapd to preload certain NIS maps into the cache. 
Preloading ensures the cache is always kept current with these maps. 
This is particularly beneficial for the passwd map and the group map as 
these are often the largest and most enumerated maps. However, the 
more maps you preload, the longer the NIS/LDAP Gateway takes to start 
up. 

Use the preload_cache parameter in ypldapd.conf. For example, the 
following command specifies preloading of the passwd.byname map and 
group.byname map: 

preload_cache passwd.byname group.byname 

For information on the preload_cache parameter see "Preload Maps into 
the Cache" on page 54. 


NOTE For best overall performance, you should turn off ypall_caching by 
setting the ypall_caching parameter to "no" in the file ypldapd.conf and 
use preloaded maps instead. See "Preload Maps into the Cache" on page 
54 for more information. 


Setting the Frequency of Cache Refreshing 

You can specify how often the cache is refreshed with the 
cache_dump_interval parameter as described in "Cache Lifetime" on 
page 53. All preloaded maps will be refreshed periodically, as specified 
by cache_dump_interval. Maps not preloaded will be flushed, not 
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refreshed. Future client requests will refill the cache. 

The cache_dump_interval value you use depends on how often you want the 
cache to be updated, how often information in your directory changes, 
and how large your preloaded maps are. The larger the 
cache_dump_interval, the less frequently the preloaded maps in the 
cache will be updated. The smaller the cache_dump_interval, the more 
frequently the preloaded maps in the cache will be updated. If you or 
another user updates the directory, the preloaded maps will not reflect 
the change until the cache is refreshed. ldappasswd, however, is a special 
case. When a user changes their password, ldappasswd marks that 
password entry in the cache as stale. 

One strategy is to set the cache_dump_interval to 60 if your maps are 
greater than 1 megabyte. This will refresh the cache once an hour. If your 
maps are smaller than 1 megabyte, set the cache_dump_interval to 
something less than an hour. The more maps you preload, the larger 
your cache_dump_interval should be. 

Forcing a Refresh of the Cache 

You can use the following command to force a refresh of the preloaded 
maps in the cache: 

kill -s SIGALRM $( cat /var/run/ypldapd.pid ) 

This assumes the file /var/run/ypldapd.pid contains the process identifier 
of the ypldapd daemon. You configure this with the pidfile parameter in 
the configuration file as described under "PID File" on page 56. 
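The stop command under "Starting and Stopping the NIS/LDAP Gateway" and the refresh command above both depend on knowing where ypldapd writes its PID. The following added example (not from the manual or the product) resolves that from the pidfile parameter in ypldapd.conf, falls back to the documented default /var/run/ypldapd.pid, refuses to signal a stale PID, and then sends SIGALRM for a refresh or SIGTERM for a stop. conf_get, ypldapd_pidfile, ypldapd_pid, ypldapd_refresh and ypldapd_stop are this example's own names; YPLDAPD_CONF defaults to the documented configuration file path.

```sh
#!/bin/sh
# Added example (not part of the HP manual): locate the ypldapd PID file from
# ypldapd.conf and use it to stop the daemon or force a cache refresh.
# The conf format (keyword, white space, value; # comment lines) and the
# default PID file are the documented ones; the function names are ours.
YPLDAPD_CONF=${YPLDAPD_CONF:-/opt/ldapux/ypldapd/etc/ypldapd.conf}

# conf_get FILE KEY: value of KEY in a ypldapd.conf-style file ("" if unset);
# comment lines are ignored and the last assignment wins.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { val = $2 }
        END { print val }' "$1"
}

# ypldapd_pidfile [CONF]: the pidfile parameter, or the documented default.
# A relative name is placed in / by ypldapd (see "PID File").
ypldapd_pidfile() {
    f=$(conf_get "${1:-$YPLDAPD_CONF}" pidfile)
    case "$f" in
        "")  f=/var/run/ypldapd.pid ;;
        /*)  ;;
        *)   f="/$f" ;;
    esac
    printf '%s\n' "$f"
}

# ypldapd_pid [CONF]: PID from the PID file, only if that process exists;
# prints nothing and returns 1 for a missing, malformed or stale PID file.
ypldapd_pid() {
    pf=$(ypldapd_pidfile "$1")
    [ -r "$pf" ] || return 1
    pid=$(tr -d '[:space:]' < "$pf")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# ypldapd_refresh [CONF]: SIGALRM makes ypldapd refresh its preloaded maps.
ypldapd_refresh() {
    pid=$(ypldapd_pid "$1") || { echo "ypldapd is not running" >&2; return 1; }
    kill -s ALRM "$pid"
}

# ypldapd_stop [CONF]: for YPLDAPD=0 installations, where no rc script exists.
ypldapd_stop() {
    pid=$(ypldapd_pid "$1") || { echo "ypldapd is not running" >&2; return 1; }
    kill -s TERM "$pid"
}
```

Both signal functions must run as root, like the commands in the manual; the stale-PID check prevents signalling an unrelated process that has since reused the number.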


Troubleshooting 

This section lists problems you may encounter, how to troubleshoot and 
solve them. 

Log Files 

You can check log files to see if any unusual incidents have occurred with 
the NIS/LDAP Gateway or your directory. The NIS/LDAP Gateway logs 
important events and errors to the file /var/adm/syslog/syslog.log. The 
Netscape Directory Server for HP-UX logs information to files in the logs 
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directory under /var/opt/netscape/server4/slapd-<serverID> where 
slapd-<serverID> is the name of your directory server. 

User Cannot Log on to Client System 

If a user cannot log in to a client system, perform the following checks. 

• Make sure the NIS/LDAP Gateway daemon, ypldapd, is running. Use 
the following command: 

ps -ef | grep ypldapd 

If it is not running, restart it as described in "Starting and Stopping 
the NIS/LDAP Gateway" on page 29. 

• Make sure the NIS daemon, ypserv, is not running. Use the following 
command: 

ps -ef | grep ypserv 

If it is running, stop it with a command like the following: 

/sbin/init.d/nis.server stop 

• Make sure ypldapd can authenticate to the directory. If you are using 
a proxy user (determined by the binddn parameter in the file 
/opt/ldapux/ypldapd/etc/ypldapd.conf), try searching for one of your 
users' information in the directory with a command like the following: 

ldapsearch -D "uid=proxy-user,ou=people,o=hp.com" -h servername -w passwd -b basedn uid=username 

using the name of your directory server, proxy user, base DN, user name, 
and password. 

You should get output with a line like the following: 

userpassword={crypt}d921F18SMksl2k24 

If you don't, your proxy user may not be configured properly. Make 
sure you have access permissions set correctly for the proxy user. See 
"Configure Your Directory" on page 20 for details on configuring the 
proxy user. 

You can also try binding to the directory as the directory 
administrator and reading the user's information. 

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• Use the Netscape Directory Console to authenticate to the directory 
as the directory administrator. Check the ACLs for the proxy user. 
Make sure the proxy user can view the userpassword attribute and 
all the attributes listed below. If not, change the ACI to allow this. 
Make sure all users can read their own information. If they cannot, 
change the ACI to allow this. 

Make sure all users have the following attributes and can read them: 

— posixaccount 

— loginshell 

— uidnumber 

— uid 

— gidnumber 

— memberuid 

— homedirectory 

• Make sure UNIX crypt is the default encryption. Verify in Netscape 
with a command like the following: 

ldapsearch -b "o=hp.com" -D "AdminDN" -w "AdminPw" uid=username 

where AdminDN is the directory administrator's relative distinguished 
name, AdminPw is the administrator's password, and username is the 
name of a user in the directory. The user must be an inetorgperson or 
posixaccount. 

The output should show something like the following: 

userPassword: {crypt}3Adkd9D2s9234sf 

If it shows either of the following: 

userPassword: {sha}3Adkd9D2s9234sf 
userPassword: mypassl23 

change it to use crypt encryption: {sha} indicates secure hash 
algorithm encryption, and no bracketed text indicates a clear text 
password. 

You can also check the default encryption in the Directory Console. 
Select the Configuration tab, then select the "Database" object, then 
the Passwords tab, and check the Password encryption field. 

• Make sure that hidden passwords are disabled. The 
hide_passwords parameter in ypldapd.conf should be set to no. 

• Try restarting the client with a command like the following: 

/sbin/init.d/nis.client stop 
/sbin/init.d/nis.client start 
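Checking the userPassword scheme by eye works for one user; the following added example (not from the manual) does the same check for every entry in an ldapsearch LDIF dump, reporting crypt, sha, other-scheme, cleartext or base64 per DN, and exits non-zero when any entry is something other than {crypt}. The sample input in the usage note is constructed; audit_passwords is this example's own function. It accepts both the "userPassword:" LDIF form and the older "userpassword=" output form shown earlier in this checklist.

```sh
#!/bin/sh
# Added example (not from the HP manual): classify the userPassword values in
# ldapsearch LDIF output so an administrator can spot entries the Gateway
# cannot serve. {crypt} is what ypldapd needs; {sha} and clear text values are
# the two failure cases the troubleshooting checklist describes.
#
# audit_passwords < LDIF
#   prints "DN scheme" for every entry that carries a userPassword and
#   returns 1 if any of them is not {crypt}. A base64-encoded value
#   (userPassword:: ...) is reported as "base64" and also counted as not
#   verified, since it has to be decoded before it can be classified.
audit_passwords() {
    awk '
        function scheme(v) {
            if (v ~ /^[{][cC][rR][yY][pP][tT][}]/)  return "crypt"
            if (v ~ /^[{][sS]?[sS][hH][aA][}]/)     return "sha"
            if (v ~ /^[{][^}]+[}]/)                  return "other-scheme"
            return "cleartext"
        }
        # remember the DN of the entry the following attribute lines belong to
        /^dn:/ { dn = $0; sub(/^dn:[ \t]*/, "", dn) }
        # "::" introduces a base64 value in LDIF
        tolower($0) ~ /^userpassword::/ { print dn " base64"; bad = 1; next }
        # "attr: value" (LDIF) or "attr=value" (older ldapsearch output)
        tolower($0) ~ /^userpassword[:=]/ {
            v = $0; sub(/^[^:=]*[:=][ \t]*/, "", v)
            s = scheme(v); print dn " " s
            if (s != "crypt") bad = 1
        }
        END { exit bad }'
}
```

Typical use is to pipe the output of the administrator ldapsearch above, run over the whole People subtree, into audit_passwords and act on every line that is not marked crypt.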
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Command and Tool Reference 


This chapter describes all the commands and tools associated with the 
NIS/LDAP Gateway: 

• "The ypldapd Command" on page 37 describes the NIS/LDAP 
Gateway daemon and command and its parameters. 

• "The ldappasswd Command" on page 38 describes the command that 
changes passwords in your directory. 

• "LDAP Directory Tools" on page 40 briefly describes the tools 
ldapsearch, ldapmodify, and ldapdelete. 

• "NIS to LDAP Migration Scripts" on page 41 describes the shell and 
perl scripts that migrate your NIS data to your LDAP directory. 

• "Configuration Parameters" on page 45 describes the various 
parameters for configuring ypldapd in the file ypldapd.conf. 


The ypldapd Command 

This section describes the ypldapd command and its parameters. See 
also the ypldapd(1) man page. 

ypldapd is the command you use to start the NIS/LDAP Gateway 
daemon. It is a server process that provides information to any process 
that makes RPC calls to the NIS client routines. This includes any process 
that calls the standard UNIX naming service routines, such as 
getpwent(3C), gethostent(3C) and so forth, as well as the special tools 
ypcat(1) and ypmatch(1) provided as part of the NIS product. 

ypldapd emulates the equivalent process ypserv by providing an RPC 
call-compatible interface. Rather than consulting NIS map files as 
ypserv does, however, ypldapd gets its data from LDAP directories. 
Communication to and from ypldapd is by means of RPC calls. Lookup 
functions are described in ypclnt(3N), and are supplied as C-callable 
functions in /lib/libc. 

You can configure ypldapd to cache the information it gets from the 
LDAP directory to improve performance and reduce network traffic. For 
more information on caching, see "Improving Performance" on page 31. 
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Syntax 

ypldapd [-v] [-c configfile] 

where 

-v             displays the version number of the software. Include 
               this number when reporting problems. 

-c configfile  allows you to specify an alternate configuration file. 
               The default configuration file is 
               /opt/ldapux/ypldapd/etc/ypldapd.conf. 

You must execute this command logged in as root. See also "Starting and 
Stopping the NIS/LDAP Gateway" on page 29. 

Examples 

The following command starts the NIS/LDAP Gateway daemon: 

/opt/ldapux/ypldapd/sbin/ypldapd 

The following command starts the NIS/LDAP Gateway daemon using 
/tmp/ypldapd.conf as its configuration file: 

/opt/ldapux/ypldapd/sbin/ypldapd -c /tmp/ypldapd.conf 

See also "Starting and Stopping the NIS/LDAP Gateway" on page 29. 


The ldappasswd Command 

This section describes the ldappasswd command and its parameters. 

The ldappasswd program, installed in /opt/ldapux/bin, allows users to 
change their passwords in the directory. Changing a user's password 
with ldappasswd marks the cache entry for that user as stale, if caching 
is enabled. ldappasswd assumes an LDAP directory server that supports 
{crypt} format. (For more information, see passwd(1) and crypt(3C).) 

Syntax 

ldappasswd [options] 

where options can be any of the following: 
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-b basedn      specifies basedn as the base distinguished name of 
               where to start searching. If ypldapd is running, then 
               this is not required. 

-h host        specifies host as the LDAP server name or IP address. 
               If ypldapd is running, then this is not required. 

[option flag not legible in this copy] 
               generates an encrypted password on the client. Use 
               this parameter for directories that do not automatically 
               encrypt passwords. The default is to send the new 
               password in plain text to the directory. Netscape 
               Directory Server 4.x for HP-UX supports automatic 
               encryption of passwords. 

-v             prints the software version and exits. 

-p port        specifies port as the LDAP server TCP port number. 

-D binddn      specifies binddn as the bind distinguished name. 

-w passwd      specifies passwd as the bind password (for simple 
               authentication). 

-l login       specifies login as the uid of the account to change; 
               defaults to the current user. 


If the NIS client is configured to an NIS/LDAP Gateway server, the -b, -h, 
-p, -D, -w, and -l options are not required. These options are useful for 
changing a password from a system that is not an NIS client or for 
changing another user's password. 


Examples 

The following command changes the password in the directory for the 
currently logged in user: 

ldappasswd 

The following command changes the password in the directory for the 
user steves: 

ldappasswd -l steves 
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LDAP Directory Tools 

This section briefly describes the tools ldapsearch, ldapmodify, and 
ldapdelete. These tools are described in detail in the Netscape Directory 
Server for HP-UX Administrator's Guide available at 
http://docs.hp.com/hpux/internet. 

Additional tools are available in the directory /opt/ldapux/contrib/bin; 
however, these tools are unsupported. See the file 
/opt/ldapux/contrib/bin/README for more information. 

ldapsearch 

You use the ldapsearch command-line utility to locate and retrieve LDAP 
directory entries. This utility opens a connection to the specified server 
using the specified distinguished name and password, and locates 
entries based on the specified search filter. Search results are returned in 
LDIF format. For details, see the Netscape Directory Server for HP-UX 
Administrator's Guide available at http://docs.hp.com/hpux/internet. 

ldapmodify 

You use the ldapmodify command-line utility to modify entries in an 
existing LDAP directory. ldapmodify opens a connection to the specified 
server using the distinguished name and password you supply, and 
modifies the entries based on the LDIF update statements contained in a 
specified file. Because ldapmodify uses LDIF update statements, 
ldapmodify can do everything ldapdelete can do. For details, see the 
Netscape Directory Server for HP-UX Administrator's Guide available at 
http://docs.hp.com/hpux/internet. 

ldapdelete 

You use the ldapdelete command-line utility to delete entries from an 
existing LDAP directory. ldapdelete opens a connection to the specified 
server using the distinguished name and password you provide, and 
deletes the entry or entries. For details, see the Netscape Directory Server 
for HP-UX Administrator's Guide available at 
http://docs.hp.com/hpux/internet. 
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NIS to LDAP Migration Scripts 

This section describes the shell and perl scripts that can migrate your 
NIS data either from source files or NIS maps to your LDAP directory. 
These scripts are found in /opt/ldapux/migrate. The two shell scripts 
migrate_all_online.sh and migrate_all_nis_online.sh migrate all 
your NIS maps, while the perl scripts migrate_aliases.pl, 
migrate_group.pl, migrate_hosts.pl, and so forth, migrate individual 
NIS maps. The shell scripts call the perl scripts. 

The migration scripts require perl, version 5 or later, which is installed 
with the NIS/LDAP Gateway in /opt/ldapux/contrib/bin/perl. 

Naming Context 

The naming context specifies where in your directory your NIS data will 
be, under the base DN. For example, if your base DN is 
"ou=NIS,o=hp.com", the passwd map would be at 
"ou=People,ou=NIS,o=hp.com". Table 4-1 shows the default naming 
context. The default will work in most cases. 

Table 4-1  Default Naming Context 

Map Name           Location in the Directory Tree 
passwd             ou=People 
group              ou=Groups 
aliases            ou=mailGroups 
fstab              ou=Mounts 
netgroup.byuser    nisMapName=netgroup.byuser 
netgroup.byhost    nisMapName=netgroup.byhost 
netgroup           ou=Netgroups 
hosts              ou=Devices 
networks           ou=tcpIp 
protocols          ou=tcpIp 
rpc                ou=tcpIp 
services           ou=tcpIp 

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NOTE If you change the default naming context, modify the file 
migrate_common.ph and change it to reflect your naming context. You 
must also change the file /opt/ldapux/ypldapd/etc/namingcontexts.conf. 
See also "Naming Context Mappings" on page 47. 

Migrating All Your Files 

The two shell scripts migrate_all_online.sh and 
migrate_all_nis_online.sh migrate all your NIS maps either to LDIF 
or into your directory. The migrate_all_online.sh shell script gets NIS 
information from the appropriate source files, such as /etc/passwd, 
/etc/group, /etc/hosts, and so forth. The migrate_all_nis_online.sh 
script gets NIS information from your NIS maps using the ypcat(1) 
command. The scripts take no parameters but prompt you for needed 
information. They also prompt you for whether to leave the output as 
LDIF or to add the entries to your directory. These scripts call the perl 
scripts described under "Migrating Individual Files" on page 43. You 
may need to modify these scripts to work in your environment. 


The scripts use ldapmodify to add entries to your directory. If you are 
starting with an empty directory, it may be faster for you to use ldif2db 
or ns-slapd ldif2db with the LDIF file. See the Netscape Directory 
Server Administrator's Guide for details on ldif2db and ns-slapd. 

If any entry in the migrated LDIF file is already in your directory, the 
script will stop at that point. The entries previous to the duplicate will be 
in the directory. To continue, you can edit the LDIF files to remove the 
entries already added up to the duplicate, resolve the duplicate, then 
continue adding the remaining entries. Alternatively you can remove the 
entries from the directory that were already added, resolve the duplicate, 
then re-add all the entries from the LDIF file. 
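A duplicate DN stops the ldapmodify run part way, as described above. This added example (not one of the product's migration scripts) checks a migrated LDIF file for DNs that occur more than once before the import, and can skip the first N entries of the file so that the remaining entries can be re-submitted after the duplicate is resolved. The function names and the sample LDIF in the test are this example's own; DNs are compared case-insensitively, as the directory does.

```sh
#!/bin/sh
# Added example (not part of the product): pre-checks for a migrated LDIF
# file before it is fed to ldapmodify. Entries in LDIF start with a "dn:"
# line and are separated by blank lines.

# ldif_entry_count FILE: number of entries (dn: lines) in the file.
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# ldif_duplicate_dns FILE: print "COUNT DN" for each DN that occurs more
# than once (case-insensitive); returns 1 if any duplicate was found, so the
# import can be refused before it stops half way through.
ldif_duplicate_dns() {
    awk '
        /^dn:/ {
            dn = $0; sub(/^dn:[ \t]*/, "", dn)
            key = tolower(dn)
            if (++seen[key] == 1) first[key] = dn   # keep the first spelling
        }
        END {
            for (k in seen)
                if (seen[k] > 1) { print seen[k] " " first[k]; dup = 1 }
            exit dup
        }' "$1"
}

# ldif_skip_entries FILE N: print the file from entry N+1 onwards, i.e. the
# part still to be added once the first N entries are already in the
# directory (the manual suggests editing the file by hand to do this).
ldif_skip_entries() {
    awk -v skip="$2" '
        /^dn:/ { n++ }
        n > skip { print }' "$1"
}
```

Run ldif_duplicate_dns on the output of migrate_all_online.sh before choosing the "add to directory" option; if an import has already stopped after K entries, ldif_skip_entries FILE K gives the remainder to feed back to ldapmodify.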
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Migrating Individual Files 

The following perl scripts migrate each of your NIS source files in /etc to 
LDIF. These scripts are called by the shell scripts described under 
"Migrating All Your Files" on page 42. The perl scripts get NIS 
information from the input source file and output LDIF. 

Environment Variables 

When using the perl scripts to migrate individual files, you need to set 
the following environment variable: 

LDAP_BASEDN    The base distinguished name where you want your 
               data. 

For example, the following command sets the base DN to "o=hp.com": 

export LDAP_BASEDN="o=hp.com" 

General Syntax for Perl Migration Scripts 

All the perl migration scripts use the following general syntax: 

scriptname inputfile [ outputfile ] 

where 

scriptname   is the name of the particular script you are using. The 
             scripts are listed below. 

inputfile    is the name of the appropriate NIS source file 
             corresponding to the script you are using. 

outputfile   is optional and is the name of the file where the LDIF 
             is written; stdout is the default output. 

Migration Scripts 

The migration scripts are: 

• migrate_aliases.pl migrates aliases in /etc/aliases to LDIF 
information, conforming to the RFC 822 MailGroup schema. 

• migrate_base.pl creates base DN information. 

• migrate_fstab.pl migrates file system information in /etc/fstab. 

• migrate_group.pl migrates groups in /etc/group. 

• migrate_hosts.pl migrates hosts in /etc/hosts. 




• migrate_netgroup.pl migrates netgroups in /etc/netgroup. 

• migrate_netgroup_byhost.pl migrates the netgroup.byhost map. 
This script must be run as root because it calls /usr/sbin/revnetgroup. 

• migrate_netgroup_byuser.pl migrates the netgroup.byuser map. 
This script must be run as root because it calls /usr/sbin/revnetgroup. 

• migrate_networks.pl migrates networks in /etc/networks. 

• migrate_passwd.pl migrates users in /etc/passwd. 

• migrate_protocols.pl migrates protocols in /etc/protocols. 

• migrate_rpc.pl migrates RPCs in /etc/rpc. 

• migrate_services.pl migrates services in /etc/services. 

• migrate_common.ph is a set of routines and configuration 
information all the perl scripts use. 

Examples 

The following are some examples using the migration scripts. 

The following command converts all NIS files in /etc to LDIF: 

$ migrate_all_online.sh 

The following commands convert /etc/passwd into LDI F and output it to 
stdout: 

$ export LDAP_BASEDN="dc=aceindustry, dc=com" 

$ migrate_passwd.pl /etc/passwd 

dn: uid=jbloggs,ou=People,dc=aceindustry, dc=com 

uid: jbloggs 

cn: Joe Bloggs 

objectclass: top 

objectclass: posixAccount 

objectclass: account 

userPassword: {crypt}daCXgaxahRNkg 

loginShell: /bin/ksh 

uidNumber: 20 

gidNumber: 20 

homeDirectory: /home/jbloggs 
gecos: Joe Bloggs,42U-C3,555-1212 
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The following commands convert /etc/group into LDIF and place the 
result in /tmp/group.ldif: 

$ export LDAP_BASEDN="o=hp.com" 

$ migrate_group.pl /etc/group /tmp/group.ldif 

dn: cn=mira.aceindustry.com,ou=Groups,o=hp.com 

objectclass: posixGroup 

objectclass: top 

ipHostNumber: 10.1.70.5 

cn: mira 

cn: www.hp.com 

cn: mira.hp.com 

userPassword: {crypt}* 

gidNumber: 325 

The following command migrates /etc/hosts: 

migrate_hosts.pl /etc/hosts 


Configuration Parameters 

You can change the NIS/LDAP Gateway's run-time configuration 
parameters in the file /opt/ldapux/ypldapd/etc/ypldapd.conf. This section 
describes these parameters in detail. 


NOTE Because the configuration file contains a password, you should protect it 
by making the file accessible only by root. Use a command like the 
following: 

chmod 600 ypldapd.conf 


Changing Configuration Parameter Values 

You can change configuration parameter values by editing the 
/opt/ldapux/ypldapd/etc/ypldapd.conf file. Each entry in the file consists 
of a key word, followed by white space, followed by the value for that 
parameter. Any line starting with a pound sign or hash symbol (#) is 
treated as a comment and ignored. 
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NIS Domain to Serve 

Specifies the NIS domain that the NIS/LDAP Gateway serves. See 
domainname(1) for more information. 

Required. 

Syntax 

ypdomain domain-name 

where domain-name is the domain name ypldapd is to serve. 

Example 

ypdomain dev-team 

LDAP Server Name 

Specifies the host name of your LDAP server. The host's IP address must 
be resolvable without consulting NIS (through DNS or /etc/hosts) or 
specified in dotted decimal notation, to avoid reentrancy problems. It is 
suggested you use a DNS name (and configure /etc/nsswitch.conf to 
perform host lookups in DNS before NIS) or an IP address. 

Required. 

Syntax 

ldaphost server-name 

where server-name is a host name or IP address. 

Example 

ldaphost nis-ldap 
ldaphost 15.0.96.234 

LDAP Protocol Version 

Specifies the version of the LDAP protocol your directory server is using. 
Optional. 
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Default Value 

2 

Valid Range 

2 | 3 

Syntax 

ldapversion integer 

Example 

ldapversion 3 

Search Base DN 

Specifies the Distinguished Name in your directory where the NIS/LDAP 
Gateway should begin all searches. 

Required. 

Syntax 

basedn dn 

Example 

basedn o=hp.com 

basedn dc=aceindustry, dc=com 

Naming Context Mappings 

Specifies the file containing name mappings from NIS names to 
distinguished names in your directory. The default mappings are in the 
file /opt/ldapux/ypldapd/etc/namingcontexts.conf. The default mappings 
will work in most cases. Edit this file if you put your NIS data in other 
than the default places. See also "Naming Context" on page 41. 

Optional. 

Default Value 

namingcontexts namingcontexts.conf 
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where namingcontexts.conf is found in /opt/ldapux/ypldapd/etc 

Syntax 

namingcontexts filename 

Example 

namingcontexts namingcontexts.conf 

Bind DN 

Specifies the distinguished name of the proxy user the NIS/LDAP 
Gateway uses to bind to the directory. 

Optional. 

Default value 

The default is to bind anonymously. 

Syntax 

binddn dn 

Example 

binddn cn=Directory Manager 

binddn cn=proxyuser, ou=people, o=hp.com 

Bind DN Password 

Specifies the credentials or password of the proxy user the NIS/LDAP 
Gateway uses to bind to the directory. See "Bind DN" above. 

Optional, but required if using a proxy user. 

NOTE You should protect this password in your configuration file by making the 
file ypldapd.conf accessible only by root with a command like the 
following: 

chmod 600 ypldapd.conf 
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Syntax 

bindcred credential 

Example 

bindcred ldap1234 

LDAP Port 

Specifies the TCP port number for the NIS/LDAP Gateway to connect to 
your LDAP directory server. 

Optional. 

Default 

389 

Syntax 

ldapport integer 

Example 

ldapport 6249 

LDAP Search Scope 

Specifies how deep the NIS/LDAP Gateway should go when searching 
your directory. 

Optional. 

Default 

sub 

Valid Range 

sub | one| base 
where: 

• sub means the NIS/LDAP Gateway is to search the base DN and all of 
its descendants; that is, the entire subtree. 
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• one means search only the immediate children of the base DN; that is, 
one level down. 

• base means search only the base DN. This value should not be used as 
it is too restrictive, effectively preventing searching below the base 
DN. 

Syntax 

scope level 

Example 

scope one 

LDAP Alias Dereference Policy 

Specifies how the NIS/LDAP Gateway should handle aliases when 
searching your LDAP directory server. 

Optional. 


NOTE Netscape Directory Server for HP-UX implements referrals instead of 
alias dereferencing. See the Netscape Directory Server Deployment Guide 
for details on referrals. 


Default 

deref never 

Valid Range 

never | find | search | always 
where: 

• never means the NIS/LDAP Gateway should never dereference 
aliases. 

• find means dereference only when finding an alias. 

• search means dereference only when searching. 

• always means dereference always. 



Syntax 

deref level 

Example 

deref never 

Fall Through to NIS 

Specifies whether the NIS/LDAP Gateway should search an NIS domain 
if the requested information is not found in the LDAP directory. 

Optional. 

Default 

extended on 

Valid Range 

on | off 

Syntax 

extended Boolean 

Example 

extended off 

Parent NIS Domain 

Specifies the NIS domain to fall through to if the needed information is 
not found in the directory. Maps not supported by the NIS/LDAP 
Gateway and maps already fulfilled by the directory will be 
supplemented by binding to the specified NIS parent domain. 

Optional. 

Syntax 

parentdomain domainname 
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Example 

parentdomain nisusers 

Fall Through to DNS 

Specifies whether the NIS/LDAP Gateway should search a DNS server if 
the requested host information is not found in the LDAP directory. 

Optional. 

Default 

dns_lookups on 

Valid Range 

on | off 

Syntax 

dns_lookups Boolean 

Example 

dns_lookups off 

Search Time Limit 

Specifies how long, in seconds, the NIS/LDAP Gateway should search the 
directory before aborting the search operation. 

Optional. 

Default 

The default is no timeout. 

Valid Range 

0 to 2^32 (0 means no time limit on searches.) 

Syntax 

timelimit integer 
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Example 

timelimit 6000 

Enable or Disable Caching 

Specifies whether the NIS/LDAP Gateway should cache information 
from the directory. See "Caching" on page 32 for more information. 

Optional. 

Default 

caching on 

Valid Range 

on | off 

Syntax 

caching Boolean 

Example 

caching off 

Cache Lifetime 

Specifies how often, in minutes, the NIS/LDAP Gateway should refresh 
the preloaded maps in the cache and flush all other maps from the cache. 
See "Setting the Frequency of Cache Refreshing" on page 32 for more 
information. 

Optional. 

Default 

cache_dump_interval 15 

Valid Range 

0 to 2^32 (0 means never refresh the cache.) 
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Syntax 

cache_dump_interval integer 

Example 

cache_dump_interval 30 

Preload Maps into the Cache 

Specifies what maps, if any, should be preloaded into the cache. Caching 
must be enabled with the caching parameter as described in "Enable or 
Disable Caching" on page 53. See also "Caching" on page 32. 

Optional. 

Default 

No maps preloaded into the cache. 

Syntax 

preload_cache mapname [mapname2 [... mapnameN]] 

Recommended 

preload_cache group.byname 

Example 

preload_cache passwd group hosts 

Maximum Number of Processes 

Specifies the maximum number of processes to fork for enumeration 
requests. See "Minimizing Enumeration Requests" on page 31 for more 
information. 

Optional. 

Default 

maxchildren 0 
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Recommended 

5 or greater 

Syntax 

maxchildren integer 

Example 

maxchildren 10 

Use Caching for Enumeration Requests 

Specifies whether enumeration requests use caching. Filling the cache on 
an enumeration request can tie up the NIS/LDAP Gateway daemon for a 
long time, delaying service of other NIS requests and causing clients to fail 
or rebind to another server. 


NOTE You should preload maps instead of caching enumeration requests. See 
"Preload Maps into the Cache" on page 54. See also "Minimizing 
Enumeration Requests" on page 31 for more information. 


Optional. 

Default 

ypall_caching off 

Valid Range 

on | off 

Recommended 

ypall_caching off 

Syntax 

ypall_caching Boolean 

Example 

ypall_caching off 

NIS Master Host Name 

Specifies the NIS domain the ypwhich command should return. By 
default, ypwhich returns the name of the local host. 

Optional. 

Syntax 

ypmaster hostname 

Example 

ypmaster nisserver 

PID File 

Specifies the file in which to write the process identifier (PID) for the 
NIS/LDAP Gateway daemon, ypldapd. If you don't specify a full path, the 
file is placed in the root directory, /. 

Optional. 

Default 

pidfile /var/run/ypldapd.pid 

Recommended 

pidfile /var/run/ypldapd.pid 

Syntax 

pidfile filename 

Example 

pidfile /tmp/ypldapd.pid 

Enable or Disable Shadow Passwords 


NOTE Shadow passwords are not supported in this release. 

You must set this parameter to no or you will not be able to log in. 


Default 

hide_passwords no 

Valid Range 

yes| no 

Syntax 

hide_passwords Boolean 

Example 

hide_passwords no 
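The parameter rules above can be checked mechanically before the daemon is restarted. The script below is an added example, not code from the HP manual or from the NIS/LDAP Gateway product. It parses a ypldapd.conf fragment (assumed to hold one "name value" pair per line, as in the examples above), validates each documented parameter against its valid range, and flags the settings this chapter advises against: a pidfile without a full path, maxchildren below the recommended 5, ypall_caching on, preload_cache while caching is off, and hide_passwords yes. The sample configuration inside it is constructed for the demonstration.

```python
"""Lint a ypldapd.conf fragment against the parameter rules described above.

Added example; it is not part of the HP manual or of the NIS/LDAP Gateway
product. Only the parameters documented in this chapter are known to it,
and SAMPLE_CONF below is constructed for the demonstration.
"""

U32_MAX = 2 ** 32  # the documented integer ranges are "0 to 2^32"

# Parameter name -> kind of value, taken from the Syntax lines above.
PARAM_KINDS = {
    "timelimit": "integer",
    "caching": "on/off",
    "cache_dump_interval": "integer",
    "preload_cache": "maps",
    "maxchildren": "integer",
    "ypall_caching": "on/off",
    "ypmaster": "hostname",
    "pidfile": "filename",
    "hide_passwords": "yes/no",
}

# Constructed sample with several settings the chapter advises against.
SAMPLE_CONF = """\
# constructed sample, not a real site configuration
timelimit 6000
caching on
cache_dump_interval 30
preload_cache passwd group hosts
maxchildren 0
ypall_caching on
ypmaster nisserver
pidfile ypldapd.pid
hide_passwords yes
"""


def parse_ypldapd_conf(text):
    """Return {name: value} from 'name value...' lines; '#' comments and blanks are skipped.

    Assumption: one parameter per line, as in the manual's examples; a later
    line for the same name overrides an earlier one.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def lint_ypldapd_conf(text):
    """Return findings as (level, parameter, message) tuples; level is 'error' or 'warning'."""
    params = parse_ypldapd_conf(text)
    findings = []

    def error(name, msg):
        findings.append(("error", name, msg))

    def warn(name, msg):
        findings.append(("warning", name, msg))

    # Per-parameter syntax and range checks.
    for name, value in params.items():
        kind = PARAM_KINDS.get(name)
        if kind is None:
            warn(name, "not a parameter documented in this chapter")
        elif kind == "integer":
            if not value.isdigit() or int(value) > U32_MAX:
                error(name, "must be an integer from 0 to 2^32, got %r" % value)
        elif kind == "on/off" and value not in ("on", "off"):
            error(name, "must be on or off, got %r" % value)
        elif kind == "yes/no" and value not in ("yes", "no"):
            error(name, "must be yes or no, got %r" % value)
        elif kind in ("maps", "hostname", "filename") and not value:
            error(name, "requires a value")

    def setting(name, default):
        """Effective value: the configured one, or the documented default."""
        return params.get(name, default)

    # Cross-parameter rules and recommendations from the descriptions above.
    if "preload_cache" in params and setting("caching", "on") == "off":
        error("preload_cache", "maps are listed for preloading but caching is off")
    if setting("timelimit", "0") == "0":
        warn("timelimit", "0 (the default) puts no time limit on directory searches")
    maxchildren = setting("maxchildren", "0")
    if maxchildren.isdigit() and int(maxchildren) < 5:
        warn("maxchildren", "%s is below the recommended value of 5 or greater" % maxchildren)
    if setting("ypall_caching", "off") == "on":
        warn("ypall_caching", "recommended setting is off; preload maps with preload_cache instead")
    pidfile = setting("pidfile", "/var/run/ypldapd.pid")
    if not pidfile.startswith("/"):
        warn("pidfile", "%r is not a full path, so the PID file is written in /" % pidfile)
    if setting("hide_passwords", "no") == "yes":
        error("hide_passwords", "shadow passwords are not supported in this release; set it to no")

    return findings


if __name__ == "__main__":
    for level, name, msg in lint_ypldapd_conf(SAMPLE_CONF):
        print("%-7s %-20s %s" % (level, name, msg))
```

Run against the constructed sample, the script reports one error (hide_passwords yes) and three warnings (maxchildren 0, ypall_caching on, relative pidfile). The defaults used for parameters that are absent are the ones documented above, so a fragment that omits timelimit is reported as having no search time limit.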
User Tasks 


This chapter describes the following tasks your users will need to do: 

• "To Change Passwords" on page 59 

• "To Change Personal Information" on page 59, such as login shell, 
phone number and location 


To Change Passwords 

On HP-UX, users change their passwords with the passwd(1) command, 
which changes /etc/passwd or the NIS maps, or the yppasswd(1) 
command, which changes the NIS maps. With users' passwords in the 
directory, they must use a different method of changing their password. 

Users change their password with the ldappasswd command. This 
command is similar to the yppasswd command. It changes a user's 
password in the LDAP directory. For details on this command, see "The 
ldappasswd Command" on page 38. 

You can make ldappasswd available to your users by installing it on all 
your client systems or putting it on a central system accessible to your 
users. 

Alternatively, your users can use a simple LDAP gateway through a web 
browser connected to the directory to change their password. The 
advantage of this method is that they can also change their other 
personal information as described below. 


To Change Personal Information 

On HP-UX, users change their personal information (or gecos 
information) such as full name, phone number, and location with the 
chfn(1) command, which changes /etc/passwd or the NIS maps. HP-UX 
users change their login shell with the chsh(1) command, which also 
changes /etc/passwd or the NIS maps. With this personal information in 
the directory, they must use a different method to change it. 

If you have Netscape Directory Server for HP-UX, you can use the 
Netscape Console or the ldapmodify command to change personal 
information. Or you can use a simple LDAP gateway through a web 
browser to display and change this information. 
Glossary 


See also the Glossary in the Netscape Directory Server for HP-UX 
Administrator's Guide available at http://docs.hp.com/hpux/internet. 

Access Control Instruction A specification controlling access to 
entries in a directory. 

Access Control List One or more ACIs. 

ACI See Access Control Instruction. 

ACL See Access Control List. 

IETF Internet Engineering Task Force; the organization that 
defines the LDAP specification. See http://www.ietf.org. 

LDAP See Lightweight Directory Access Protocol. 

LDIF See LDAP Data Interchange Format. 

LDAP Data Interchange 
Format (LDIF) The format used 
to represent directory server 
entries in text form. 

ldappasswd A command to change a user's password in the 
LDAP directory. 


Lightweight Directory Access Protocol (LDAP) A standard, 
extensible set of conventions specifying communication between 
clients and servers across TCP/IP network connections. See also 
SLAPD. 

Network Information Service 
(NIS) A distributed database 
system providing centralized 
management of common 
configuration files, such as 
/etc/passwd and /etc/hosts. 

NIS See Network Information Service. 

RFC Request for Comments; a 
document and process of 
standardization from the IETF. 

RFC 2307 The IETF specification for using LDAP as a Network 
Information Service; required by the NIS/LDAP Gateway. See 
http://www.ietf.org/rfc/rfc2307.txt. 

SLAPD The University of 
Michigan's stand-alone 
implementation of LDAP, without 
the need for an X.500 directory. 

ypldapd The NIS/LDAP Gateway daemon. It replaces the NIS ypserv 
daemon by accepting NIS client requests and getting the requested 
information from an LDAP directory rather than from NIS maps. 